Responsible Disclosure Policy
Suna Communications Pty Ltd (trading as iRealty)
Version 1.1 | Effective 20 January 2026 | Next review 20 January 2027
1. Purpose
Suna Communications Pty Ltd (trading as iRealty) takes the security of its platform and the data entrusted to it seriously. This policy sets out how external security researchers and members of the public can report suspected security vulnerabilities to iRealty in good faith, and how iRealty will respond.
iRealty welcomes responsible disclosure. We believe that coordinated reporting of vulnerabilities, before public disclosure, materially improves the security of our customers and the broader internet.
2. Scope
This policy applies to the following iRealty assets:
- The iRealty platform and customer-facing application accessed via irealty.com.au and its subdomains.
- The iRealty public website at https://irealty.com.au.
- The iRealty production APIs that support the platform.
The following are out of scope and must not be tested under this policy:
- Third-party services and infrastructure that iRealty relies on, including but not limited to AWS, Auth0, Google, Stripe, Xero, and GoHighLevel. Vulnerabilities in those services should be reported to the relevant vendor.
- Social engineering of iRealty staff, customers, or partners, including phishing, vishing, and pretexting.
- Physical attacks on iRealty offices, staff, or infrastructure.
- Denial of service testing, including volumetric, application-layer, or resource exhaustion testing.
- Automated scanning that generates excessive traffic or noise.
- Vulnerabilities in customer content, where the issue is a misconfiguration or weak practice by an individual customer rather than a defect in the iRealty platform.
3. How to Report
Reports should be sent to security@irealty.com.au. The mailbox is monitored by the Head of Technology.
Please include the following in your report:
- A clear description of the vulnerability and the affected asset or endpoint.
- Steps to reproduce the issue, including any proof of concept code, screenshots, or sample requests.
- Your assessment of the potential impact.
- Your name or handle and a contact address if you wish to be credited or contacted.
iRealty will acknowledge receipt of your report within 5 business days. Acknowledgement is a confirmation that the report has been received and assigned for triage. iRealty does not commit to a fixed timeline for triage, remediation, or public disclosure, and will communicate progress on a best efforts basis.
4. Safe Harbour
If you act in good faith, comply with this policy, and stay within the scope and rules of engagement set out below, iRealty will not:
- Initiate or support legal action against you in connection with your research.
- Report your activity to law enforcement on the basis of your research alone.
- Pursue civil action against you for accessing iRealty systems in the course of your research.
This safe harbour is a contractual undertaking by iRealty. It is not, and cannot be, a waiver of any statutory provisions or the rights of third parties. See section 7 below.
Safe harbour does not apply where a researcher exceeds the scope of this policy, breaches the rules of engagement, accesses or retains data beyond what is necessary to demonstrate a vulnerability, or acts with malicious intent.
5. Rules of Engagement
Researchers must comply with the following rules:
- Do not perform destructive testing. Do not modify, delete, or corrupt data that does not belong to you.
- Do not access, copy, or retain data beyond the minimum necessary to demonstrate the vulnerability. If you encounter personal information, stop, secure your evidence, and notify iRealty immediately.
- Do not disrupt iRealty services or the experience of legitimate users. Do not run automated scanners that generate high volumes of traffic.
- Do not publicly disclose the vulnerability, or share details with third parties, until iRealty has had a reasonable opportunity to remediate the issue. iRealty supports a 90 day coordinated disclosure window from the date of acknowledgement. If you believe a longer or shorter window is appropriate, please discuss this with us.
- Do not use the vulnerability for any purpose other than reporting it to iRealty. Do not demand payment in exchange for disclosure.
- Use test or research accounts that you have created and own. Do not access accounts or data belonging to other users.
- Comply with all applicable laws of the jurisdiction in which you are operating.
6. Out of Scope Reports
Reports that fall outside the scope of this policy, or that do not describe a credible security issue, will receive a polite acknowledgement but no further engagement. Examples of reports iRealty does not action under this policy include marketing solicitations, low quality scanner output without supporting analysis, missing security headers that do not lead to a demonstrable impact, and best practice suggestions that do not describe a vulnerability.
7. Reference to Australian Law
Researchers operating in or interacting with Australia should be aware that even good faith security testing may engage provisions of the Criminal Code Act 1995 (Cth), including offences relating to unauthorised access to, modification of, or impairment of restricted data and electronic communications. State and territory legislation may also apply.
The safe harbour offered by iRealty in this policy is a contractual undertaking. It does not, and cannot, override Commonwealth or State law, the rights of third parties, or the obligations of iRealty under contracts with its customers and processors. Researchers are responsible for understanding the legal risks of their activity and should obtain independent legal advice if uncertain.
iRealty will, where appropriate and lawful, take into account a researcher’s good faith conduct and compliance with this policy when responding to any third party enquiry about their activity.
Contact
Security reports: security@irealty.com.au
Public policy: https://irealty.com.au/security-policy
Machine readable: https://irealty.com.au/.well-known/security.txt